decalage2
commented
4 years ago I finally found the bug and fixed it: see https://github.com/decalage2/oletools/issues/455#issuecomment-693655085
Closed ANT1993 closed 4 years ago
decalage2
commented
4 years ago I finally found the bug and fixed it: see https://github.com/decalage2/oletools/issues/455#issuecomment-693655085
decalage2
commented
4 years ago This issue is now fixed in oletools 0.56.
Affected tool: olevba
Describe the bug With a specific document the olevba.analyze_macros() raise a exception in line 3413 and/or 3735 because vba_code is bytes. https://github.com/decalage2/oletools/blob/028634725b14677b01de76c7169d794e89b63887/oletools/olevba.py#L3413 https://github.com/decalage2/oletools/blob/028634725b14677b01de76c7169d794e89b63887/oletools/olevba.py#L3735
File/Malware sample to reproduce the bug https://www.virustotal.com/gui/file/1e6d72e0cbe34cf8e016857317b9f98050f492c3098971644ccef8b6c7db77c8/details It's malware. If you want the file you can contact me.
(https://github.com/decalage2/oletools/files/4846132/1e6d72e0cbe34cf8e016857317b9f98050f492c3098971644ccef8b6c7db77c8.docx)
How To Reproduce the bug Extract macros with olevba:
vbaparser = VBA_Parser(file_path) if vbaparser: if vbaparser.detect_vba_macros(): vbaparser.analyze_macros()Version information:
Additional context I've solved the error decoding bytes to string if it's instance of bytes in line 3359. https://github.com/decalage2/oletools/blob/028634725b14677b01de76c7169d794e89b63887/oletools/olevba.py#L3359
Solved with:
if isinstance(vba_code, bytes): vba_code = bytes2str(vba_code)